Banking Agencies’ Proposed Risk-Management Guidance for Third-Party Relationships

Nov 14, 2025

What happened — quick summary 

In response to growing reliance on vendors and fintech partners, U.S. banking regulators moved to align expectations for third-party risk management. The agencies originally published a proposal in 2021 and issued a final interagency guidance in June 2023 that sets out risk-based principles across the life cycle of third-party relationships. The guidance is intended to be flexible and scalable so banks can tailor practices to their size, complexity and the criticality of each relationship.

Why regulators acted 

Banks increasingly outsource technology, payments, cloud services and customer-facing functions to third parties. That trend raises operational, resilience and cyber risk concerns — particularly where a single cloud provider or fintech becomes critical infrastructure. Regulators aim to ensure banks retain robust oversight, perform adequate due diligence, and maintain continuity plans to limit service disruption and protect consumers. This shift mirrors parallel international moves to tighten outsourcing rules.

Core elements of the guidance 

The guidance describes a lifecycle approach to third-party relationships and highlights several foundational practices: 

  • Inventory and risk assessment. Maintain a complete inventory of third-party relationships and perform periodic risk assessments to determine the risk level and oversight needed.

  • Tailored, risk-based oversight. Not all relationships present the same risk; banks should scale controls and monitoring according to the activity’s risk and criticality.

  • Robust due diligence and selection. Before contracting, banks should evaluate a vendor’s financial condition, operational controls, cybersecurity posture and subcontracting plans.

  • Contractual controls and exit planning. Contracts should include clear service levels, audit rights, data-use limits, subcontractor transparency and well-defined termination and exit strategies to avoid operational gaps.

  • Ongoing monitoring and testing. Continuous performance monitoring, periodic risk reassessments, and testing of continuity plans are required — especially for high-risk or critical services.

What banks need to do now 

Banks should treat the guidance as a blueprint for strengthening existing third-party risk management programs: 

  1. Update inventories & risk categorizations. Ensure every vendor is logged and categorized by risk and criticality.

  2. Revisit contracts. Add or enhance clauses on audit rights, data protection, subcontracting, and exit assistance.

  3. Enhance vendor due diligence. For critical vendors, require independent audit reports, penetration testing results, and continuity plans.

  4. Boost governance. Boards and senior management should receive regular reporting on third-party risk — the guidance emphasizes accountability aligned to the organization’s risk profile.

  5. Prepare for supervision. Examiners will expect evidence of a risk-based program: inventories, risk assessments, board oversight, contracts, monitoring logs and continuity testing.


Implications for fintechs and service providers 

Fintechs and cloud providers should anticipate more rigorous inquiries from bank clients. Expect requests for transparency on subcontractors, stronger SLAs, independent security attestations, and support for banks’ supervisory reporting. Building easy-to-share compliance packages and transparency in incident response plans will be competitive advantages. 

Tailoring for community banks 

Regulators recognize that smaller institutions have different resource constraints. In 2024, the agencies published supplemental material aimed at community banks with practical examples and considerations for scalable third-party risk programs. Community banks should use those resources to adapt the principles without over-engineering processes.

The global context 

U.S. interagency guidance is part of a broader global trend: international bodies and national regulators (including the Basel Committee and the EU) are tightening outsourcing and operational resilience expectations, especially around cloud dependencies and cyber resilience. Banks with cross-border operations should align to both U.S. and international expectations.

Bottom line 

The agencies’ proposed (and now finalized) guidance on third-party relationships signals a durable supervisory focus: banks must manage vendor risk in a risk-based, lifecycle approach that preserves operational resilience and consumer protections. For banks, the work is practical — inventory, assess, contract, monitor, and test — but it requires ongoing governance and documentation to satisfy regulators and to protect the institution and its customers. 

Sky BlackBox is AI-empowered Vendor Risk Management that maximizes security while minimizing effort. With a suite of three integrated apps, it addresses VRM challenges for clients, vendors, and service providers. It offers 470x more accuracy, 6x lower operational costs, and 9x faster results compared to traditional methods.

Sky BlackBox © L5, 100 Market St, Sydney, NSW 2000